Tag Archives: Threat model


14 February 2015

I just finished a week of hard work. Some application owners asked me to run a (short!) security assessment for a single sign-on module they use in their internal database applications.

With the help of an application manager and a copy of the PLSQL code I started developing a threat model. Thanks to the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) frame developed by Microsoft, I was able to get a good understanding of the system and its weaknesses.

Generally threat modeling does not include a review of the program code. But in this case a closer look at the code was very helpful for understanding of the information flows and for answering the questions posed by STRIDE.

I can only recommend to every system development project: Start threat modeling as early as possible to get the most of it. Software quality and system security will increase dramatically, at no more costs.

Happy Valentine’s Day!


Threat modelling helps identifying the crown jewels

4 October 2014

The crux of the matter with complex application systems is, that they are composed of lots of components which communicate which each other. Most of the users, and sometimes even the IT application administrators, associate a single component, e.g. the web-service they use with their browser application, with the entire application system.

When it comes to information classification this limited view prevents the identification of the really important components, namely those where the critical information is stored and processed. As a result money is wasted for the protection of less relevant system components while critical components remain unprotected.

In these cases the development of a threat model will lead to a far better understanding of the application system.

Just start with the user’s view of the system. Arrange meetings with application developers and administrators, key user’s, system architects and administrators. Show them your model and ask them to add more details. After some time you will get a more detailed model and a much better understanding of the application system, the really important components and the information flow between the components.

Light Bulb Moment

Light Bulb Moment

On Wednesday I had such a light-bulb moment. We discussed information stored in an EH&S system. From this system Material Safety Data Sheets (MSDS) are created for shipment of dangerous goods. The carrier receives a copy and has to show this copy to the authorities on request. Why should we keep this information secret?

After some discussions we identified the system component where the really important information was stored and managed. The EH&S system holds only an extract of the information which is required to create the MSDS.

The threat model was of great help in this case. As soon as we added the new component the STRIDE approach showed us the direction to a stronger protection of the critical information.

Have a good weekend.